Spyware hampers compliance plans

Does spyware pose a threat to enterprise compliance initiatives?

In the wake of multiple data-breach disclosures and additional state laws governing such breaches, many companies are surveying the conduits through which sensitive information can escape the enterprise. All told, 19 states have passed customer-notification laws, modeled after California’s SB 1386, and 21 other states are still considering such measures. The most recent law went into effect this week in New York and protects such information as Social Security numbers, driver’s license and bank account numbers, and non-driver ID card numbers. The fine for non-compliance is up to $10 per instance of failed notification.

Spyware can record keystrokes and upload information to an attacker, making it a potent data-breach threat. Indeed, “increasing concern about spyware is at the root of these laws and regulations,” notes a recent report from Webroot, which develops anti-spyware software. “Failure to take spyware seriously may expose an enterprise to substantial risks, including prosecution by the FTC or non-compliance with HIPAA or [the] Gramm-Leach-Bliley Act,” the company says.

Webroot polled security professionals to gauge their approach to spyware. Overwhelmingly (98 percent), respondents see spyware as a threat to the enterprise. In addition, “more than 80 percent said the worst kinds of spyware—key-loggers, system monitors and Trojan horses—that can access confidential records represent an immediate threat,” notes Webroot. Furthermore, 97 percent worry spyware could access confidential employee data or intellectual property. Yet “despite these figures, many corporations surveyed have yet to protect their information with suitable anti-spyware software,” Webroot claims.